Vendor Security Assessment FAQs

A knowledge base article about Vendor Security Assessment FAQs provided by the UC Berkeley IT Service Hub - Knowledge Portal

Can I request a new assessment for a Vendor that previously received a “Not Recommended” rating?

Units are allowed one (1) resubmission for Vendors with an overall Not Recommended rating. Before resubmitting, the Unit must ensure the Vendor has addressed the specific deficiencies identified in the initial assessment. If a Vendor receives a second Not Recommended rating, please consider alternative vendors or apply for an exception.

Why is there a limit on resubmissions?

Accountability: Limitations encourage Vendors to improve their security posture before seeking a reassessment.
Resource Management: Frequent reassessments for Not Recommended Vendors can overwhelm our team’s finite capacity. Each reassessment requires significant time and effort from both the Assessments Team and the Vendor.
Cost: Reassessing a Vendor incurs additional costs to order assessments from Venminder. By limiting reassessments, we can better manage our budget.

Who needs to be involved in a Vendor Security Assessment?

The roles that are typically involved in participating in a Vendor Security Assessment include the following:

Resource Owner or Proprietor	Campus unit representative who has overall responsibility for the application (e.g., budgeting and resource allocation).
Implementation Project Manager	Unit member responsible for the roll-out of the application or service, including (but not limited to) Vendor selection, contract specifications, configuration, process-flow design, personnel training, etc.
UC Buyer	Representative in the UC Procurement department responsible for the Vendor contract negotiation.
Vendor Representative	Staff member of the service provider responsible for completing the Vendor Security Assessment Questionnaire. Ideally, this person is affiliated with the IT department and is knowledgeable regarding the Vendor's security framework. Oftentimes, the person in this role is a Sales or Customer Support Representative who facilitates communication between the vendor's IT staff and the ISO Assessor.
ISO Assessor	A member of the ISO analysts team is assigned as the primary assessor responsible for the engagement with the unit.

How do I get started?

What do I need to do to initiate a Vendor Security Assessment with the Information Security Office?

To request a Vendor Security Assessment Program evaluation for a PL2 system that is vendor-managed, review the Details of the Vendor Security Assessment Program and then send an email to security@berkeley.edu.

Please include the following information:

Name of the unit requesting VSAP service
Project Lead contact information
UC Provisioning Representative contact information (if applicable)
Name of third-party vendor/product/service
Service description
List of protected data elements that are known to be processed, stored, or transmitted by the service provider (see the UC Data Classification Standard for details)
Estimated number of records containing PL2 data

What do I need to do if a Vendor's products or services use Artificial Intelligence (AI)?

It is important to understand how a Vendor's services/products may use Artificial intelligence (AI) capabilities to ensure that use aligns with UC's policies, advisories, and guidelines on AI. AI functionality in Vendor services/products must be evaluated for security, privacy, and general AI risks.

Regarding the Vendor Security Assessment process and AI, the following are some key questions the Requester should be prepared to answer in coordination with the Vendor.

ISO will ask you to provide answers to these types of questions when we initially triage your VSA request:

How does this AI service/product directly support your Unit’s goals?
How is AI being used in the Vendor's service/product? Please provide a detailed response. Technical descriptions are encouraged.
- What specific AI types are utilized (e.g. Generative AI, machine learning, agentic, or multimodal that process text, images and audio)
Is customer data (UC) used to train or refine the Vendor's AI models or mechanisms?
What types of data are processed and/or collected by the Vendor's AI services/products, and for what purpose?
If UC data is collected by the Vendor's AI services/products, is it anonymized?
Does the service comply with relevant AI-specific regulations? (e.g. EU AI Act, NIST AI Risk Management Framework, or other applicable industry standards)
What is the Vendor’s policy on the use of public or open-source models (e.g., Hugging Face)?
Does the Vendor's use of AI involve highly consequential automated decision-making on behalf of UC? Examples include:
- Legal analysis or advice
- Recruitment, personnel, or disciplinary decision-making
- Seeking to replace work currently done by represented employees
- Security tools using facial recognition
- Grading or assessment of student work
- Admissions, Student Conduct, or Healthcare decisions
Have you engaged the UC Berkeley Privacy Office to evaluate the privacy impacts of the Vendor's AI services/products?
- If you have not already, we recommend you reach out to begin the process as a privacy impact analysis on AI is needed in most cases.

Additional AI Resources

For questions regarding the appropriate use of AI tools, review the Appropriate Use of Generative AI page from the Office of Ethics, Risk, and Compliance Services
For an overview of policy, governance, and other guidance regarding the use of AI, see the AI at UC Berkeley page on the Berkeley IT website.
For consultation on assessing risk and determining risk remediation activities, consider engaging in the process overseen by the Committee on Enterprise Risk and Compliance's AI Risk Subcommittee (CERC-AIR)

What should I do with the Venminder report and ISO guidance letter after an assessment is completed?

Once a VSA is complete, ISO recommends reviewing the guidance letter and the Venminder report with your Unit Information Security Lead (UISL) to decide on the appropriate course of action for responding to the findings identified in the Venminder report. The ISO guidance letter, in particular, will provide information regarding what type of response the Unit requires per campus security policy.

The Vendor requires a Non-Disclosure Agreement (NDA) to release security documentation. Who should sign the NDA?

The Requester is responsible for signing any Non-Disclosure Agreements with the Vendor and informing ISO which documents are under NDA.

Inform the ISO Assessments Team on the corresponding ServiceNow ticket for your VSA request if the Vendor is asking that ISO or Venminder sign the NDA.

Will I need to provide any additional information or documents when requesting a VSA?

Yes, the Requester will be responsible for providing the following information when requesting a VSA:

Vendor primary point of contact (name, title, phone number, and email address)
Vendor name and product/service being purchased
A description of the Vendor product/service and how it will be used on campus
A completed UC Appendix DS Exhibit 1 form

Additionally, the following security documents will speed up the assessment process:

SOC 2 Type II report
- If available, include the Vendor’s SOC 2 Type II report. NOTE: Venminder will need the Vendor’s own report and not the report of the Vendor’s hosting provider, such as AWS, Azure, GCP, etc.
PCI DSS compliance documentation for Vendors that accept payment card data on behalf of UC.
- Please include the Vendor’s PCI DSS Self-Assessment Questionnaire (SAQ), Attestation of Compliance (AOC), and any other supporting policies or PCI compliance documentation.

ISO will no longer ask for the statement of work, contract/agreement, or the Vendor’s security plan.

How long will a VSA take using Venminder?

A typical VSA takes 4 to 6 weeks to complete, starting on the date the Vendor has provided all requested information. Please plan accordingly.

What are the responsibilities and expectations for Units and Vendors during the VSA process?

What are the responsibilities and expectations for UCB Units and Vendors during the Vendor Security Assessment (VSA) process?

Units requesting a Vendor Security Assessment (VSA) should review the following document and share it with the Vendor so that they are prepared for the VSA process.

UC Berkeley Vendor Security Assessments (VSA) - Responsibilities & Expectations (PDF)

What is a "3rd-party service provider"?

What is a "Vendor" or a "3rd-party service provider"?

A "Vendor" or "3rd-party service provider" is an entity (e.g., a person or a company), separate from the University, that offers something for sale. The typical types of Vendor services that require an ISO Vendor security assessment are technologies used to store, process, and/or transport protected data on behalf of the University, such as:

Software as a Service (SaaS) providers - companies that provide hosted application services (e.g., Google bMail)
Infrastructure as a Service (IaaS) providers - companies that provide hosted data storage or processing services (e.g., Amazon AWS)

These types of Vendors are required to meet the same campus policy standards for the protection of protected data that is required for applications and services that are managed by internal campus IT resources.

The contract has already been signed. What do I do?

My unit is contracting with a 3rd-party service provider for the handling of campus-protected data. The contract has already been signed. Should I still engage with ISO for a Vendor Security Assessment?

Although there is less bargaining power with the service provider to address security concerns after the contract has already been signed, it is still a good idea to perform a Vendor Security Assessment for service providers who are handling UC P3 or P4 data:

If the overall risk level is acceptable, the unit is assured that the Vendor complies with campus policy for protecting UC P3 or P4 data.
If the overall risk level is High or Critical, it may be necessary to postpone or suspend service until these issues are addressed.

Vendors may be more inclined to participate in a security assessment after the contract has been signed, but before the service has been initiated, as billing often does not begin until services have started.

For VSA reports with an overall acceptable risk rating, any medium-level risk findings identified in the report should be discussed with the Vendor during the next contract renewal period.

Are Vendor services available that have already been approved?

Are Vendor services available to the campus that have already been approved for UC P2/3 or UC P4 data?

There are several 3rd-party Vendor services that are readily available to the campus that have been approved for UC P2/P3 or UC P4 data. Campus units that adopt these 3rd-party services for the purpose of storing and sharing covered data can be assured that these vendors meet campus policy requirements.

Campus units that utilize these services for the handling of protected data should keep in mind that careful configuration and management of these applications is required to meet campus policy standards.

UC P4 Approved Services

CalShare, a web-based document management and collaboration system utilizing Microsoft SharePoint.
The Imagine document imaging and workflow service is a campus service with the core purpose of providing automated workflows, document management, and storage, and can be integrated with other campus systems as needed.

UC P2/P3 Approved Services

The bConnected suite of collaboration services, including Google Apps for Education (bMail, bCal, bDrive)
Box
bCourses Project Sites

Please visit the bConnected website to learn more about the MSSEI protection level ratings for each of these products: https://bconnected.berkeley.edu/collaboration-services

What is the purpose of the Vendor Security Assessment Program?

The Vendor Security Assessment Program is intended to ensure that service providers who handle UC P4 data on behalf of the University meet campus security policy requirements. This is achieved in two ways:

By evaluating the Vendor's security controls in comparison to campus policy.
Ensuring that the UCOP Data Security & Privacy Appendix is included in the Vendor contract to provide baseline protection for the University in the event of a data breach.

The Data Security & Privacy Appendix was not included in the vendor contract. What do I do?

The contract with the 3rd-party service provider has already been signed, and the UCOP Data Security & Privacy Appendix was not included. How will this affect the Vendor Security Assessment?

For all UC contracts involving third-party access to covered data, the University of California Office of the President (UCOP) requires the inclusion of the Data Security and Privacy Appendix. The appendix establishes baseline protection for the University in the event of a data breach. Campus units that engage with service providers to handle covered data must ensure the appendix is included in new contracts without edits.

For VSAP engagements that have been initiated after the contract has been approved, and the UCOP appendix has been omitted, the final assessment report will include contract-related risk findings. These findings are generally of a Critical risk nature, e.g.:

No guarantee of service provider compliance with applicable laws (e.g., FERPA, HIPAA) or campus policies for the protection of covered data.
The absence of requirements for a Vendor information security plan and breach reporting process.
Inadequate cyber-insurance to cover the cost of investigating and responding to a breach.

In these cases, the unit may be required to suspend the use of the service until the contract issues have been resolved with the Vendor.